1 Introduction

In order to develop and apply a formal methodology for the specification and verification of a class of systems, the members of the class have to be modeled by mathematical objects. Such a model should be both adequate, in that it distinguishes between systems whose behaviors differ in one of the aspects under consideration, and abstract, in that it omits unnecessary detail by identifying systems without such disagreements.

We study the class of reactive systems, which maintain an ongoing interaction with their environment. One well-established approach to the modeling of reactive systems uses the paradigm of interleaving to represent concurrent activity. Under this choice, the linear semantics of a system is the set of all possible behaviors, where each behavior is a (possibly infinite) sequence of states generated by performing the basic actions (transitions) of the system, one at a time. Concurrent actions are linearized; they may be performed in either order.

Consider, for example, the following concurrent system consisting of a resource allocator $P_1$ and a client process $P_2$:

[Figure: transition diagrams of the allocator $P_1$ and the client $P_2$]

Suppose that the client $P_2$ requests the resource (say, by setting a shared variable). Then $P_2$ waits until the resource is granted by $P_1$, at which point $P_2$ goes ahead and uses the resource. When it is finally released by $P_2$, the allocator $P_1$ retakes control of the resource and waits for another request.

If we consider grant, redeem, request, use, release, and wait to be atomic actions, some of the possible behaviors of this system are:

    request grant use release redeem ...
    request wait grant use release redeem ...
    request wait wait grant use release redeem ...
To rule out shuffles of actions that are unfair to a particular transition, by preferring parallel transitions ad infinitum, the admissible behaviors of a system are constrained by fairness conditions. These conditions put, however, no restrictions on the relative speed of parallel processes within the system; they ensure only that every process will proceed "eventually."

In our resource allocation example, an appropriate fairness condition guarantees that whenever the resource is requested, it will eventually be granted; the fairness condition restricts the set of possible behaviors of the system by ruling out the behavior

    request wait wait wait wait wait ...,

in which the client process waits forever for the resource to be granted.

If the grain of atomicity of actions is chosen fine enough, this simple linear model turns out to be both adequate and convenient for the study of many qualitative properties of reactive systems — in particular the correctness of concurrent programs, independent of whether they are implemented in multiprogramming or multiprocessing environments. There are well-understood formal languages to specify the correctness properties of such systems, like linear temporal logic, as well as deductive and automatic methods for their verification ([Pn77], [OL82], [LP84], [MP89]).

Observe that the described model is abstract with respect to time; it identifies systems that admit the same sequences of actions, even if they do so at radically different speeds. This simplifies the treatment of speed-independent systems, while it is not adequate for real-time systems, whose correctness depends crucially on the actual times at which actions are performed. Many communication protocols and control circuits are examples of such systems.

Our goal is to refine the linear model to incorporate time, and to generalize the corresponding specification and verification methodology to enable the analysis of real-time systems.

For this purpose, we introduce a new process that represents a global, discrete clock:

[Figure: a single location with a self-loop labeled tick]

This clock process performs the action tick ad infinitum.

By adding the clock process to our resource allocation example, we obtain, as behaviors of the system, infinite sequences of interleaved actions of three processes — the allocator, the client, and the clock. This refined model allows us to put constraints on the times at which the actions of the original two processes happen.

For instance, a real-time resource allocator may be required to grant the resource, provided it is available, at most 2 time units after it is requested. Although, strictly speaking, we cannot specify this property within our model if we assume that actions take place in real (continuous) time, we can approximate it by requiring that between every request and corresponding grant of the resource there are at most 2 clock ticks. This real-time requirement constrains the set of admissible behaviors of the resource allocator, by ruling out behaviors such as

    request tick tick tick grant use tick release ...
    request tick wait tick tick wait tick grant ...

Thus we may view real-time requirements as finitary fairness requirements, which restrict the number of possible behaviors of a system.

Instead of adding the clock process explicitly to every system, we will define the notion of a timed behavior by associating times with the states of a behavior. The time of each state in a behavior is a natural number; it records the number of clock ticks that have happened until the state is reached. Thus, the time difference between two successive states may be 0, indicating that both states occur, in the given order, between successive clock ticks. All we require is fairness with respect to the clock process; that is, any possible behavior of a system contains infinitely many tick transitions.

In the following, we first develop the notion of a real-time transition system as a set of timed behaviors. To specify properties of such systems we use an extension of linear temporal logic by bounded temporal operators. Then we introduce proof rules for the verification of real-time properties with respect to a given system.

We present two very different verification styles to establish real-time properties. The first style resembles the proof-lattice technique used to show liveness properties of reactive systems; it uses a small set of basic rules and does not refer to the global clock explicitly. The second ("explicit-clock") proof style exploits the observation that when given access to the clock, every real-time property can be reformulated as a safety property; it uses the standard (timeless) temporal rules for establishing safety properties and relies heavily on invariances that include assertions about the global time.




2 Computational Model

We define the semantics of a shared-variables real-time system as a set of timed behaviors. This is done in two steps: first, we associate with any concrete shared-variables system an underlying abstract real-time transition system; secondly, we identify the possible timed behaviors (computations) of any real-time transition system. The latter step is presented first.

2.1 Abstract model: Real-time transition system

The basic computational model we use is that of a transition system ([MP89]), which we generalize by adding real-time requirements. We classify the real-time requirements into two categories: lower- and upper-bound requirements. They assure that transitions are taken neither too early nor too late, respectively.

A real-time transition system $S = (V, \Sigma, \Theta, \mathcal{T}, \mathcal{L}, \mathcal{U})$ consists of the following components:

• a finite set $V$ of variables.

• a set $\Sigma$ of states. Every state $\sigma \in \Sigma$ is an interpretation of $V$; that is, it assigns to every variable $u \in V$ a value $\sigma(u)$ in its domain.

• a set $\Theta \subseteq \Sigma$ of initial states.

• a finite set $\mathcal{T}$ of transitions, including the empty transition $\tau_\emptyset$ and the idle transition $\tau_I$.

Every transition $\tau \in \mathcal{T}$ is a binary accessibility relation on $\Sigma$; that is, it defines for every state $\sigma \in \Sigma$ a (possibly empty) set of $\tau$-successors $\tau(\sigma) \subseteq \Sigma$. We say that $\tau$ is enabled on $\sigma$ iff $\tau(\sigma) \neq \emptyset$; a set $T \subseteq \mathcal{T}$ of transitions is enabled on $\sigma$ iff some transition in $T$ is enabled on $\sigma$.

The empty transition $\tau_\emptyset = \emptyset$ is not enabled on any state; the idle (stutter) transition

$$\tau_I = \{(\sigma, \sigma) : \sigma \in \Sigma\}$$

is enabled on every state.

• a finite set $\mathcal{L}$ of lower-bound requirements. Every lower-bound requirement $(\tau, T, l) \in \mathcal{L}$ for the transition $\tau \in \mathcal{T}$ contains, in addition to $\tau \neq \tau_I$, a set $T \subseteq \mathcal{T}$ of trigger transitions and a lower bound $l \in \mathbb{N}$.

• a finite set $\mathcal{U}$ of upper-bound requirements. Every upper-bound requirement $(\tau, u) \in \mathcal{U}$ for the transition $\tau \in \mathcal{T}$ contains, in addition to $\tau \neq \tau_I$, an upper bound $u \in \mathbb{N}^\infty$.¹

A timed state sequence $\rho = (\sigma, T)$ consists of an infinite sequence $\sigma$ of states $\sigma_i \in \Sigma$, $i \ge 0$, and an infinite sequence $T$ of corresponding times $T_i \in \mathbb{N}$, $i \ge 0$, that satisfy the following conditions:

• [Initiality] $T_0 = 0$; that is, the time of the initial state is 0.

• [Bounded monotonicity] For all $i \ge 0$,

    either $T_{i+1} = T_i$,
    or $T_{i+1} = T_i + 1$ and $\sigma_{i+1} = \sigma_i$;

that is, the time never decreases. It may increase, by at most 1, only between two consecutive states that are identical. The case that the time stays the same between two identical states is referred to as a stuttering step; the case that the time increases is called a clock tick.

• [Progress] For all $i \ge 0$ there is some $j > i$ such that $T_i < T_j$; that is, the time never stagnates. Thus there are infinitely many clock ticks.

The timed state sequence $\rho = (\sigma, T)$ is a computation (run) of the real-time transition system $S = (V, \Sigma, \Theta, \mathcal{T}, \mathcal{L}, \mathcal{U})$ iff it satisfies the following properties:

• [Initiality] $\sigma_0 \in \Theta$.

• [Consecution] For all $i \ge 0$ there is a transition $\tau \in \mathcal{T}$ such that $\sigma_{i+1} \in \tau(\sigma_i)$. We say that $\tau$ is taken at position $i$ and completed at position $i + 1$; a set $T$ of transitions is taken (completed) at position $j$ iff some transition in $T$ is taken (completed) at $j$.

The empty transition $\tau_\emptyset$ is assumed to be completed at position 0. At both stuttering steps and clock ticks, the idle transition $\tau_I$ may be taken.

• [Lower bound] Let a transition $\tau \in \mathcal{T}$ be ready at position $i$ iff, for every lower-bound requirement $(\tau, T, l) \in \mathcal{L}$, there is no position $j$, $0 \le j \le i$, such that $T_i < T_j + l$ and $T$ is completed at $j$. It follows that whenever a trigger transition from $T$ is completed, $\tau$ is not ready for $l$ time units.

¹ Let $\mathbb{N}^\infty = \mathbb{N} \cup \{\infty\}$. For notational convenience, we assume that $m \le n + \infty$ for all $m, n \in \mathbb{N}$.

The timed state sequence $\rho$ satisfies the lower-bound property iff, for all $\tau \in \mathcal{T}$ and $i \ge 0$,

    if $\tau$ is taken at position $i$,
    then $\tau$ is ready at $i$;

that is, a transition can be taken only when it is ready (and enabled).

• [Upper bound] For every upper-bound requirement $(\tau, u) \in \mathcal{U}$ and all $i \ge 0$, there is some position $j \ge i$ with $T_j \le T_i + u$ such that

    either $\tau$ is not ready at $j$,
    or $\tau$ is not enabled on $\sigma_j$,
    or $\tau$ is taken at $j$;

that is, the transition $\tau$ cannot be continuously ready and enabled for $u$ time units without being taken.

The set of computations of the system $S$ is closed under stuttering: the addition or deletion of finitely many stuttering steps to a timed state sequence preserves the property of being a computation of $S$. We consider, however, all computations of $S$ to be infinite; finite (terminating as well as deadlocking) computations can be represented by infinite extensions that add only clock ticks.

Also observe that while lower-bound requirements of the form $(\tau, T, 0)$ can be discarded without changing the computations of $S$, upper-bound requirements of the form $(\tau, \infty)$ add to $S$ weak-fairness assumptions (in the sense of [MP89]).

2.2 Concrete model: Shared variables

The concrete real-time systems we consider consist of a fixed number of sequential programs that are executed in parallel, on separate processors, and communicate through a shared memory.

A shared-variables multiprocessing system $P$ has the form

$$\{\theta\}\,[P_1 \,\|\, P_2 \,\|\, \cdots \,\|\, P_m].$$

Each process $P_i$, $1 \le i \le m$, is a sequential nondeterministic real-time program over the finite set $U_i$ of private (local) data variables and the finite set $U_s$ of shared data variables. The formula $\theta$, called the data precondition of $P$, restricts the initial values of the variables in $U = U_s \cup \bigcup_{1 \le i \le m} U_i$.

The real-time programs $P_i$ can be alternatively presented in a textual programming language, or as transition diagrams. We shall use the latter, graphical, representation.

A transition diagram for the process $P_i$ is a finite directed graph whose vertices $L_i$ are called locations; $\ell_0^i \in L_i$ is considered to be the entry location:

[Figure: the entry location $\ell_0^i$ of a transition diagram]

The intended meaning of the entry location is that the control of the process $P_i$ starts at the location $\ell_0^i$ at time 0 (i.e., before the first clock tick).

Each edge in the graph is labeled by a guarded instruction, an initial delay $l \in \mathbb{N}$ and, optionally, a delay increment $u \in \mathbb{N}^\infty$:

[Figure: an edge from $\ell_j$ to $\ell_k$ labeled by the guarded instruction $c \to x := e$, the initial delay $l$ and the delay increment $u$]

where $c$ is a boolean expression, $x$ a variable, and $e$ an expression (the guard $true$ and the initial delay 0 are usually suppressed; the instruction $c \to x := x$ is often abbreviated to $c?$).

We say that the process $P_i$ is ready to proceed from the location $\ell_j$ to the location $\ell_k$ iff its control has resided at $\ell_j$ for at least $l$ time units (i.e., clock ticks). The intended operational meaning of the given edge is that whenever the process $P_i$ is ready to proceed from $\ell_j$ to $\ell_k$ and the guard $c$ is true, then $P_i$ may proceed to $\ell_k$. The delay increment $u$ ensures that whenever the process $P_i$ has been ready to proceed from $\ell_j$ to $\ell_k$ for $u$ time units during which the guard $c$ has been continuously true, then $P_i$ must proceed to $\ell_k$. In doing so, the control of $P_i$ moves to the location $\ell_k$ "instantaneously," and the current value of $e$ is assigned to $x$.

In other words, the execution of the given edge is first delayed for at least $l$ time units, after which the guard $c$ is repeatedly checked at least every $u$ time units, until it is found to be true.

In general, a process may have been ready to proceed via several edges all of whose guards have been continuously true for their corresponding delay increments. In this case, any such edge is chosen nondeterministically.

We require that each cycle in a transition diagram contains an edge that is labeled either with a positive (nonzero) initial delay or a positive delay increment. This is because cycles that consume no time may prevent the time from progressing.

To demonstrate the scope of this model, we show how the typical real-time application of a timeout situation can be represented. Consider the process $P$ with the following transition diagram:

[Figure: an edge from $\ell_0$ to $\ell_1$ guarded by $x = 0$ with delay increment 1, and an edge from $\ell_0$ to $\ell_2$ with initial delay 10 and delay increment 0]

When at the location $\ell_0$, the process $P$ attempts to proceed to the location $\ell_1$ for 10 time units, by checking the value of $x$ at least once every time unit. If the value of $x$ is different from 0 at least once every time unit, then $P$ may not succeed and has to proceed to the alternative location $\ell_2$ at time 10 (note that the delay increment 0 ensures that the vacuous guard $true$ is indeed checked after the initial delay of 10 time units).

This operational view of the concrete model can be captured by a simple translation. With the given shared-variables multiprocessing system $P$, we associate the following real-time transition system $S_P = (V, \Sigma, \Theta, \mathcal{T}, \mathcal{L}, \mathcal{U})$:

• $V = U \cup \{\pi_1, \ldots, \pi_m\}$. Each control variable $\pi_i$, $1 \le i \le m$, ranges over the locations $L_i$ of the corresponding process $P_i$.

• $\Sigma$ contains all interpretations of $V$.

• $\Theta = \{\sigma \in \Sigma : \sigma \models \theta, \text{ and } \sigma(\pi_i) = \ell_0^i \text{ for all } 1 \le i \le m\}$.

• $\mathcal{T}$ contains, in addition to $\tau_\emptyset$ and $\tau_I$, a transition $\tau_E$ for every edge $E$ in the transition diagrams for $P_1, \ldots, P_m$. If $E$ connects the source location $\ell_j$ to the target location $\ell_k$ of $P_i$ and is labeled by the instruction $c \to x := e$, then $\sigma' \in \tau_E(\sigma)$ iff

    • $\sigma(\pi_i) = \ell_j$ and $\sigma'(\pi_i) = \ell_k$,
    • $\sigma \models c$ and $\sigma'(x) = \sigma(e)$, and
    • $\sigma'(y) = \sigma(y)$ for all $y \in V - \{\pi_i, x\}$.

If $\tau_E$ is uniquely determined by its source and target locations, we often write

By $Pred(\tau_E)$ we denote the set of syntactic-predecessor transitions of $\tau_E$; that is, all transitions $\tau_{E'}$ such that the target location of $E'$ coincides with the source location of $E$. If the source location of $E$ is an entry location, then $Pred(\tau_E) = \{\tau_\emptyset\}$.

• $\mathcal{L}$ contains a lower-bound requirement $(\tau_E, Pred(\tau_E), l)$ for every edge $E$ labeled by the initial delay $l$.

• $\mathcal{U}$ contains an upper-bound requirement $(\tau_E, u)$ for every edge $E$ labeled by the delay increment $u$.

This translation defines the set of possible computations of the concrete system $P$ as a set of timed state sequences.

We remark that the translation is conservative over the untimed case. Suppose that the system $P$ contains no delay labels (recall that, in this case, all initial delays are 0). Then the state components of the computations of $S_P$ are precisely all the legal execution sequences of $P$, as defined in the interleaving model of concurrency ([MP89]).

If the delay increment $\infty$ is added to all edges of $P$, progress is guaranteed for every individual transition and, thus, for every process: no transition can be continuously enabled (and ready) without being taken. In this case, the computations of $S_P$ correspond precisely to the execution sequences of $P$ that are weakly fair with respect to every transition.
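As an added example (not from the paper), the following Python checks, on a finite prefix of a timed state sequence, every condition of Section 2.1 that a prefix can decide (all but progress), for the system obtained by the translation above from a one-process program with data precondition $x = 0$ and a single edge from $\ell_0$ to $\ell_1$ guarded by $x = 0$, initial delay 2 and delay increment 1 (the same system that is analysed in Section 4). The transition names `tau_empty`, `tau_idle`, `tau_01`, the state encoding and the run-construction helpers are this example's own.

```python
# Added example, not from the paper: checker for the computation conditions of
# Section 2.1 on a finite prefix of a timed state sequence.  Transition names
# (tau_empty, tau_idle, tau_01) and the run helpers are this example's own.
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

State = Tuple[Tuple[str, object], ...]      # a frozen interpretation of V
Succ = Callable[[State], List[State]]       # tau(sigma): the tau-successors
EMPTY, IDLE = "tau_empty", "tau_idle"       # the two mandatory transitions

def mk(**vals) -> State:
    return tuple(sorted(vals.items()))

def val(s: State, v: str):
    return dict(s)[v]

class RTTS:
    """Real-time transition system (V, Sigma, Theta, T, L, U); Sigma is implicit."""

    def __init__(self, initial: Callable[[State], bool], transitions: Dict[str, Succ],
                 lower: List[Tuple[str, FrozenSet[str], int]],   # (tau, T, l)
                 upper: List[Tuple[str, Optional[int]]]):        # (tau, u); None = oo
        self.initial = initial
        self.transitions = dict(transitions)
        self.transitions[EMPTY] = lambda s: []      # never enabled
        self.transitions[IDLE] = lambda s: [s]      # stutter: always enabled
        self.lower, self.upper = lower, upper

    def enabled(self, tau: str, s: State) -> bool:
        return bool(self.transitions[tau](s))

# A run prefix: states sigma_i, times T_i, and taken[i] = the transition taken at
# position i (and completed at i + 1); len(taken) == len(states) - 1.
Run = Tuple[List[State], List[int], List[str]]

def completed_at(run: Run, j: int) -> str:
    return EMPTY if j == 0 else run[2][j - 1]

def ready(sys: RTTS, run: Run, tau: str, i: int) -> bool:
    """No trigger of a lower-bound requirement for tau completed less than l ago."""
    times = run[1]
    return not any(completed_at(run, j) in trig and times[i] < times[j] + l
                   for t, trig, l in sys.lower if t == tau for j in range(i + 1))

def violations(sys: RTTS, run: Run) -> List[str]:
    """Every Section 2.1 condition decidable on a finite prefix (progress is not)."""
    states, times, taken = run
    out = []
    if times[0] != 0:
        out.append("initiality: T_0 != 0")
    if not sys.initial(states[0]):
        out.append("initiality: sigma_0 not in Theta")
    for i, tau in enumerate(taken):
        same, dt = states[i + 1] == states[i], times[i + 1] - times[i]
        if not (dt == 0 or (dt == 1 and same)):
            out.append(f"bounded monotonicity at {i}")
        if states[i + 1] not in sys.transitions[tau](states[i]):
            out.append(f"consecution at {i}: {tau} does not lead to sigma_{i + 1}")
        if not ready(sys, run, tau, i):
            out.append(f"lower bound at {i}: {tau} taken but not ready")
    for tau, u in sys.upper:
        for i in range(len(states)):
            if u is None or times[-1] <= times[i] + u:
                break                       # window [T_i, T_i + u] not fully observed
            window = [j for j in range(i, len(states)) if times[j] <= times[i] + u]
            if not any(not ready(sys, run, tau, j) or not sys.enabled(tau, states[j])
                       or (j < len(taken) and taken[j] == tau) for j in window):
                out.append(f"upper bound at {i}: {tau} ready and enabled for {u} units")
    return out

# Concrete system via the translation of Section 2.2: precondition x = 0 and one
# edge l0 -> l1 guarded by x = 0 with initial delay 2 and delay increment 1, so
# L = {(tau_01, Pred(tau_01), 2)} with Pred(tau_01) = {tau_empty}, U = {(tau_01, 1)}.
def tau_01(s: State) -> List[State]:
    if val(s, "pi") == "l0" and val(s, "x") == 0:
        return [mk(x=val(s, "x"), pi="l1")]
    return []

SYS = RTTS(initial=lambda s: val(s, "x") == 0 and val(s, "pi") == "l0",
           transitions={"tau_01": tau_01},
           lower=[("tau_01", frozenset({EMPTY}), 2)],
           upper=[("tau_01", 1)])

def run_taking_edge_at(t: int, end: int) -> Run:
    """Tick at l0 until time t, take tau_01 (time stays t), then tick until `end`."""
    s0, s1 = mk(x=0, pi="l0"), mk(x=0, pi="l1")
    states = [s0] * (t + 1) + [s1] * (end - t + 1)
    times = list(range(t + 1)) + list(range(t, end + 1))
    return states, times, [IDLE] * t + ["tau_01"] + [IDLE] * (end - t)

def run_never_taking(end: int) -> Run:
    """Tick at l0 with x = 0 until `end` without ever taking the edge."""
    s0 = mk(x=0, pi="l0")
    return [s0] * (end + 1), list(range(end + 1)), [IDLE] * end
```

Taking the edge at time 2 yields no violation; taking it at time 1 violates the lower bound (the trigger $\tau_\emptyset$ completed at position 0 less than 2 time units earlier), and never taking it violates the upper bound at every position from which the edge stays ready and enabled for more than 1 time unit.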


3 Specification Language

Having settled on our computational model, we need a sufficiently expressive language that is interpreted over timed state sequences in order to specify real-time systems. We distinguish between state formulas, which assert properties of individual states of a computation, and temporal formulas, which assert properties of entire computations.

3.1 State formulas

Given a real-time transition system $S = (V, \Sigma, \Theta, \mathcal{T}, \mathcal{L}, \mathcal{U})$, we assume a first-order language with equality that contains interpreted function and predicate symbols to express operations and relations on the domains of the variables in $V$. Formulas of this language are interpreted over the states in $\Sigma$, and called state formulas. If the state formula $p$ is true in state $\sigma$, we say that $\sigma$ is a $p$-state.
We use the following abbreviations for state formulas:

• The starting condition $start$ holds precisely in the initial states $\Theta$.

• For any transition $\tau \in \mathcal{T}$ and state formulas $p$ and $q$, the verification condition $\{p\}\tau\{q\}$ asserts that if $p$ is true of a state $\sigma \in \Sigma$, then $q$ is true of all $\tau$-successors of $\sigma$. For any set $T \subseteq \mathcal{T}$ of transitions, we write $\{p\}T\{q\}$ for the conjunction $\bigwedge_{\tau \in T} \{p\}\tau\{q\}$ of the individual verification conditions.

Note that the special cases $\{p\}\tau_\emptyset\{q\}$ and $\{p\}\tau_I\{q\}$ are equivalent to $true$ and $p \to q$, respectively.

• For any transition $\tau \in \mathcal{T}$, the conditions $enabled(\tau)$, $ready(\tau)$, and $completed(\tau)$ assert that $\tau$ is enabled, ready, and completed, respectively. For any set $T \subseteq \mathcal{T}$ of transitions, we write $completed(T)$ for the disjunction $\bigvee_{\tau \in T} completed(\tau)$.

Note that $enabled(\tau_\emptyset)$ and $enabled(\tau_I)$ are equivalent to $false$ and $true$, respectively.

For the case that the real-time transition system $S$ is associated with a shared-variables multiprocessing system $P$, it is easy to see that the starting condition, verification conditions, and enabling conditions can indeed be expressed by state formulas.

Suppose that $P$ consists of $m$ processes $P_i$, $1 \le i \le m$. Let $at(\ell_j^i)$ stand for $\pi_i = \ell_j^i$; that is, the control of the process $P_i$ is at the location $\ell_j^i$. If $\theta$ is the data precondition of $P$, then the starting condition $start$ is equivalent to the state formula

$$\theta \;\wedge\; \Big(\bigwedge_{1 \le i \le m} at(\ell_0^i)\Big) \;\wedge\; completed(\tau_\emptyset).$$

Let $\tau \in \mathcal{T}$ be a transition of $S$, and $E$ the corresponding edge in the transition diagram for $P$; assume that $E$ connects the location $\ell_j^i$ to the location $\ell_k^i$ and is labeled by the instruction $c \to x := e$. Then, the enabling condition $enabled(\tau)$ is equivalent to the state formula

$$at(\ell_j^i) \wedge c,$$

and the verification condition $\{p\}\tau\{q\}$ is equivalent to

$$\Big(p \wedge ready(\tau) \wedge enabled(\tau) \wedge at(\ell_k^i)' \wedge completed(\tau)' \wedge (x' = e) \wedge \bigwedge_{y \in V - \{\pi_i, x\}} (y' = y)\Big) \to q',$$

where $q'$ is obtained from $q$ by replacing every variable with its primed version (for example, $at(\ell_k^i)'$ stands for $\pi_i' = \ell_k^i$).

The reader may guess, correctly, that the two conditions $ready(\tau)$ and $completed(\tau)$ can, in general, not be expressed by state formulas of $S$, because their truth values in a state $\sigma$ of a timed state sequence depend on the transitions preceding $\sigma$. This is the case even if the real-time transition system $S$ originates from a shared-variables multiprocessing system. In Section 5, we will show how the notion of state can be extended, by encoding information about past transitions, to allow for the definition of the conditions $ready(\tau)$ and $completed(\tau)$ as state formulas.

In the following it suffices, however, to view both abbreviations $ready(\tau)$ and $completed(\tau)$, for any transition $\tau \in \mathcal{T}$, as primitive, nonrigid propositions that satisfy certain axioms (the truth value of a nonrigid, or flexible, proposition is evaluated at a position of a timed state sequence; it may differ at two positions $i$ and $j$ of a sequence $\rho = (\sigma, T)$ even if $\sigma_i = \sigma_j$ and $T_i = T_j$).

The axiom COMP asserts that, at any position of a timed state sequence, precisely one transition has been completed:

$$\bigoplus_{\tau \in \mathcal{T}} completed(\tau)$$

(read the connective $\oplus$ as exclusive-or). The axiom schema READY-INV states that the condition $ready(\tau)$ is preserved by all transitions that do not trigger a lower-bound requirement for $\tau$:

$$(ready(\tau) \wedge completed(\hat{\tau})) \to ready(\tau)'$$

if $\hat{\tau} \notin T$ for all $(\tau, T, l) \in \mathcal{L}$ (as with variables, we introduce a primed version for every proposition). These axioms turn out to be sufficient for our purpose.

Thus, whenever we speak of state formulas, we shall admit the propositions $ready(\tau)$ and $completed(\tau)$ (formally meaning extended-state formulas in the sense of Section 5). In particular, we will never talk about the truth value of a state formula with respect to a particular state, but only with respect to a particular position within a timed state sequence. For instance, we may say that the $i$-th state $\sigma_i$ of the timed state sequence $\rho = (\sigma, T)$ is a $ready(\tau)$-state, meaning that the transition $\tau$ is ready at position $i$ of $\rho$.
3.2 Temporal formulas

Temporal formulas are constructed from state formulas by boolean connectives and bounded temporal operators; they are interpreted over timed state sequences. In this paper, we are mostly interested in proving two important classes of real-time properties — bounded-response and bounded-invariance properties. Thus we restrict ourselves to three kinds of temporal formulas.

• A bounded-response property asserts that something will happen within a certain amount of time. A typical application of bounded response is to state an upper bound $u$ on the termination of a system $S$: if started at time 0, then $S$ is guaranteed to reach a final state no later than at time $u$.

Formally, we express bounded-response properties by temporal formulas of the form

$$p \Rightarrow \Diamond_{\le u}\, q$$

for state formulas $p$ and $q$ and $u \in \mathbb{N}$. The formula $p \Rightarrow \Diamond_{\le u}\, q$ is true over the timed state sequence $\rho = (\sigma, T)$ iff, for all $i \ge 0$,

    if $\sigma_i$ is a $p$-state,
    then there is some $q$-state $\sigma_j$, $j \ge i$, such that $T_j \le T_i + u$;

that is, every $p$-state is followed by a $q$-state within time $u$.

• A bounded-invariance property asserts that something will hold continuously for a certain amount of time; it is often used to specify that something will not happen for a certain amount of time. A typical application of bounded invariance is to state a lower bound $l$ on the termination of a system $S$: if started at time 0, then $S$ will not reach a final state before time $l$.

Formally, we express bounded-invariance properties by temporal formulas of the form

$$p \Rightarrow \Box_{<l}\, q,$$

for state formulas $p$ and $q$ and $l \in \mathbb{N}$. The formula $p \Rightarrow \Box_{<l}\, q$ is true over the timed state sequence $\rho = (\sigma, T)$ iff, for all $i \ge 0$ and $j \ge i$,

    if $\sigma_i$ is a $p$-state and $T_j < T_i + l$,
    then $\sigma_j$ is a $q$-state;

that is, no $p$-state is followed by a $\neg q$-state within time less than $l$.

• To prove bounded-invariance properties, we sometimes need to be able to express a stronger assertion than bounded invariance, that a $p$-state can be followed by a $\neg q$-state only if two conditions are met: the time difference is at least $l$, and there is an intermediate $r$-state. This bounded-unless property is expressed by the temporal formula

$$p \Rightarrow q\, \mathcal{U}_{\ge l}\, r,$$

for state formulas $p$, $q$, and $r$, and $l \in \mathbb{N}$; it is true over the timed state sequence $\rho = (\sigma, T)$ iff, for all $i \ge 0$,

    if $\sigma_i$ is a $p$-state,
    then either all subsequent $\sigma_j$, $j \ge i$, are $q$-states,
    or there is some $r$-state $\sigma_j$, $j \ge i$, such that $T_j \ge T_i + l$ and all intermediate $\sigma_k$, $i \le k < j$, are $q$-states;

that is, every $p$-state is followed by a (possibly infinite) sequence of $q$-states until there is an $r$-state, which cannot be closer than time $l$.

It is not hard to see that the bounded-invariance formula $p \Rightarrow \Box_{<l}\, q$ is equivalent to the bounded-unless formula $p \Rightarrow q\, \mathcal{U}_{\ge l}\, (\neg q)$.

While temporal-logic aficionados will readily recognize the three classes of formulas we have introduced as time-bounded versions of conventional, composite, invariance, response, and unless formulas ([MP89]), for our purpose it suffices to consider them primitive (for a general addition of time-bounded operators to linear temporal logic, see [AH90]).

We say that a temporal formula is $S$-valid iff it is true over all computations of the real-time transition system $S$; for state formulas we do not distinguish between $S$-validity and (general) validity (i.e., truth under every interpretation). A proof rule is called $S$-sound iff the $S$-validity of all premises implies the $S$-validity of the conclusion.

Any $S$-sound rule can be used for verifying properties of the system $S$. Consider the following bounded-invariance rule BD-INV, which allows us to conclude the bounded-invariance formula $p \Rightarrow \Box_{<l}\, q$ from the bounded-unless formula $p \Rightarrow q\, \mathcal{U}_{\ge l}\, r$, for any state formulas $p$, $q$, and $r$:

BD-INV

$$\frac{p \Rightarrow q\, \mathcal{U}_{\ge l}\, r}{p \Rightarrow \Box_{<l}\, q}$$

It is not hard to convince ourselves that this rule is $S$-sound for every real-time transition system $S$.
4 Verification rules

We show how to prove that a given deterministic real-time transition system $S = (V, \Sigma, \Theta, \mathcal{T}, \mathcal{L}, \mathcal{U})$ satisfies its specification. In particular, we present a deductive system to establish the $S$-validity of bounded-invariance and bounded-response properties. The proof rules fall into four categories: the single-step rules derive real-time properties that follow from a single real-time requirement, while the transitivity, disjunction, and induction rules combine real-time properties into more complicated ones.

4.1 Single-step rules

First, we present basic single-step rules, which establish bounded-invariance and bounded-response properties that are enforced by a single lower-bound or upper-bound requirement, respectively.

The single-step lower-bound rule, SS-LB, uses a lower-bound requirement $(\tau, T, l) \in \mathcal{L}$:

SS-LB

$$\frac{\begin{array}{ll}
(1) & p \to completed(T) \\
(2) & p \to \varphi \\
(3) & \{\varphi\}\, \mathcal{T} - \tau\, \{\varphi\} \\
(4) & \varphi \to q
\end{array}}{p \Rightarrow \Box_{<l}\, q}$$

By $\mathcal{T} - \tau$ we denote the set difference $\mathcal{T} - \{\tau\}$. The state formula $\varphi$ is called the invariant of the rule.

We point out that the rule SS-LB derives a temporal (bounded-invariance) formula from premises all of which are state formulas. Note that the premise (3) is always valid for the empty transition $\tau_\emptyset$ and the idle transition $\tau_I$. This is because $\tau_\emptyset$ is never enabled, and $\tau_I$ preserves every invariant.

To see that the rule SS-LB is $S$-sound, suppose that the premises (1) through (4) are valid, and consider an arbitrary computation of $S$ containing a $p$-state $\sigma_i$. By premise (1), some trigger transition from $T$ is completed at position $i$; thus $\tau$ cannot be taken at any position $j \ge i$ within time less than $l$. From the premises (2) and (3) it follows that $\varphi$ holds at $\sigma_i$ and all subsequent states until the transition $\tau$ is taken; hence $\varphi$ holds in particular at all states within time less than $l$. Since $\varphi$ implies $q$ by premise (4), the given conclusion follows.
To demonstrate a typical application of the single-step lower-bound rule, consider the single-process system P with the data precondition x = 0 and the following transition diagram:

[transition diagram: locations ℓ_0 and ℓ_1; the edge τ_{0→1} from ℓ_0 to ℓ_1 is guarded by x = 0 and labeled with the delay 2 + 1]

The process P confirms that x = 0 and proceeds to the location ℓ_1. Because of the initial delay 2 of the transition τ_{0→1}, the final location ℓ_1 cannot be reached before time 2. Since the transition τ_{0→1} has to be attempted at most 1 time unit after the initial delay, and x is guaranteed to be 0 at this point, the final location ℓ_1 must be reached by time 3.

Let us carry out a formal proof of this analysis. First we show the bounded-invariance property

$$\mathit{start} \Rightarrow \Box_{<2}\,\neg\mathit{at}(\ell_1),$$

that is, the final location ℓ_1 cannot be reached before time 2. Since S_P contains the lower-bound requirement (τ_{0→1}, {τ_∅}, 2), by SS-LB it suffices to show the premises (let the invariant φ be at(ℓ_0))

(1) start → completed(τ_∅),

(2) start → at(ℓ_0),

(4) at(ℓ_0) → ¬at(ℓ_1),

all of which are trivially valid.

The single-step upper-bound rule, SS-UB, uses an upper-bound requirement (τ, u) ∈ 𝒰:

$$
\text{SS-UB}\quad
\begin{array}{ll}
(1) & p \to (\varphi \lor q)\\
(2) & \varphi \to \mathit{ready}(\tau)\\
(3) & \varphi \to \mathit{enabled}(\tau)\\
(4) & \{\varphi\}\ \mathcal{T}-\tau\ \{\varphi \lor q\}\\
(5) & \{\varphi\}\ \tau\ \{q\}\\
\hline
& p \Rightarrow \Diamond_{\le u}\, q
\end{array}
$$

This rule derives a temporal bounded-response formula from premises all of which are state formulas. The state formula φ is called the invariant of the rule. The premise (4) is always valid for the empty transition τ_∅ and the idle transition τ_I.
To see that the rule SS-UB is S-sound, suppose that the premises (1) through (5) are valid, and consider an arbitrary computation of S containing a p-state σ_i. From the premises (1), (4), and (5) it follows that φ holds at σ_i and all subsequent states until a q-state is reached. Hence, the premises (2) and (3) imply that τ is continuously ready and enabled until a q-state is reached. Thus either a q-state is reached within time u, or the transition τ is taken within time u, which by premise (5) results again in a q-state within time u. The desired conclusion follows.

Consider again the single-process system P from above; we show the bounded-response property

$$(\mathit{ready}\text{-}\mathit{at}(\tau_{0\to1}) \land x = 0) \Rightarrow \Diamond_{\le 1}\,\mathit{at}(\ell_1), \tag{$\dagger$}$$

where the abbreviation ready-at(τ_{j→k}) stands for the state formula

$$\mathit{at}(\ell_j) \land \mathit{ready}(\tau_{j\to k}).$$

Since S_P contains the upper-bound requirement (τ_{0→1}, 1), by SS-UB it suffices to show the premises (let the invariant φ be p)

(2) (ready-at(τ_{0→1}) ∧ x = 0) → ready(τ_{0→1}),

(3) (ready-at(τ_{0→1}) ∧ x = 0) → enabled(τ_{0→1}),

(5) {ready-at(τ_{0→1}) ∧ x = 0} τ_{0→1} {at(ℓ_1)},

all of which are easily derived.

Bounded-response properties about the readiness of transitions follow from lower-bound requirements. Suppose that (τ, T, l) ∈ ℒ is the only lower-bound requirement for the transition τ; then:

$$
\text{READY}\quad
\begin{array}{ll}
(1) & p \to q\\
(2) & p \Rightarrow \Box_{<l}\, q\\
(3) & q \to \neg\mathit{enabled}(T)\\
\hline
& p \Rightarrow \Diamond_{\le l}\,(q \land \mathit{ready}(\tau))
\end{array}
$$

The premises (1) and (3) are state formulas; the premise (2) can be established using the single-step lower-bound rule.

To see that the rule READY is S-sound, suppose that the premises (1) through (3) are S-valid, and consider an arbitrary computation of S containing a p-state σ_i. From the premises it follows that q holds and no trigger transition from T is enabled, and hence taken, at σ_i and all subsequent states within time less than l. Thus τ becomes ready by the first state σ_j with j ≥ i that is not within time less than l of σ_i. If l = 0, then σ_j = σ_i is a q-state by premise (1). Otherwise, a clock tick is completed at position j, in which case σ_j is identical to its predecessor, and thus a q-state by premise (2).

In our example, (τ_{0→1}, {τ_∅}, 2) is the only lower-bound requirement for the transition τ_{0→1}. Therefore we can use the rule READY to establish

$$\mathit{start} \Rightarrow \Diamond_{\le 2}\,(\mathit{ready}\text{-}\mathit{at}(\tau_{0\to1}) \land x = 0) \tag{$\ddagger$}$$

from the premises

(1) start → (at(ℓ_0) ∧ x = 0),

(2) start ⇒ □<2 (at(ℓ_0) ∧ x = 0),

(3) at(ℓ_0) → ¬enabled(τ_∅).

The state formulas (1) and (3) are trivially valid; the bounded-invariance formula (2) can be derived by the single-step lower-bound rule SS-LB, using the lower-bound requirement (τ_{0→1}, {τ_∅}, 2) and the invariant at(ℓ_0) ∧ x = 0.

Next, we present a rule that allows us to prove bounded-response properties that result from combining a finite number of successive bounded-response properties, the transitive upper-bound rule:

$$
\text{TRANS-UB}\quad
\begin{array}{ll}
(1) & p \Rightarrow \Diamond_{\le u_1}\, r\\
(2) & r \Rightarrow \Diamond_{\le u_2}\, q\\
\hline
& p \Rightarrow \Diamond_{\le u_1+u_2}\, q
\end{array}
$$

It is not hard to see that this rule is S-sound for every real-time transition system S.

In our example, we use the transitive upper-bound rule TRANS-UB to combine the two properties (‡) and (†). Thus we conclude, at last, the bounded-response property that the final location ℓ_1 is reached by time 3:

$$\mathit{start} \Rightarrow \Diamond_{\le 3}\,\mathit{at}(\ell_1).$$


4.2  Multiple  processes 

So far we have only examined a single-process example. In general, several processes that communicate through shared variables interfere with each other.

Consider the two-process system with the data precondition x = 1 and the following transition diagrams:

The first process, P_1, is identical to our previous example; after an initial delay of 2 time units, it confirms that x = 0 and proceeds to location ℓ^1_1. However, this time the value of x is not 0 from the very beginning, but set to 0 by the second process, P_2, only at time 1 (note that due to the initial delay 1 and the delay increment 0, the value of x is set to 0 exactly at time 1). Since P_1 does not check the value of x before time 2, it is guaranteed to find the value of x to be 0. Thus, P_1 reaches its final location ℓ^1_1 again at the earliest at time 2 and at the latest at time 3.

Let us conduct a formal proof. First we show the bounded-invariance property

$$\mathit{start} \Rightarrow \Box_{<2}\,\neg\mathit{at}(\ell^1_1),$$

that is, P_1 does not terminate before time 2. The proof proceeds as in the case of a single process, using the single-step lower-bound rule SS-LB and the lower-bound requirement (τ^1_{0→1}, {τ_∅}, 2) (take the invariant at(ℓ^1_0)). Since the new process P_2 contributes the transition τ^2_{0→1}, we have to establish an additional noninterference premise,

(3) {at(ℓ^1_0)} τ^2_{0→1} {at(ℓ^1_0)},

which is easily derived.

To prove the corresponding upper bound on termination in the two-process case, we need a stronger rule than the transitive upper-bound rule TRANS-UB. The rule OVERLAP allows us to prove bounded-response properties that result from combining a finite number of parallel (overlapping) bounded-response properties:

$$
\text{OVERLAP}\quad
\begin{array}{ll}
(1) & p \Rightarrow \Diamond_{\le u_1}\, r\\
(2) & p \Rightarrow \Diamond_{\le u_2}\, s\\
(3) & \{r\}\ \mathcal{T}\ \{r \lor q\}\\
(4) & \{s\}\ \mathcal{T}\ \{s \lor q\}\\
(5) & (r \land s) \Rightarrow \Diamond_{\le u_3}\, q\\
\hline
& p \Rightarrow \Diamond_{\le \max(u_1,u_2)+u_3}\, q
\end{array}
$$

Note that the premises (3) and (4) are always S-valid for the empty transition τ_∅ and the idle transition τ_I.

To see that the rule OVERLAP is S-sound, suppose that the premises (1) through (5) are S-valid, and consider an arbitrary computation of S containing a p-state σ_i. By the premises (1) and (2), σ_i is followed by an r-state σ_j within time u_1, and an s-state σ_k within time u_2. Without loss of generality we assume that j ≤ k. Because of the premise (3), either there is a q-state within time u_2, thus implying the desired conclusion, or both r and s hold at σ_k. In the latter case, it follows from the premise (5) that there is a q-state within time u_2 + u_3, which again implies the conclusion of the rule.

In our example, we use the rule OVERLAP to establish the bounded-response property that P_1 terminates within 3 time units:

$$\mathit{start} \Rightarrow \Diamond_{\le 3}\,\mathit{at}(\ell^1_1).$$

It suffices to show the premises

(1) start ⇒ ◇≤2 ready-at(τ^1_{0→1}),

(2) start ⇒ ◇≤1 (x = 0),

(3) {ready-at(τ^1_{0→1})} τ^1_{0→1} {at(ℓ^1_1)},

(3') {ready-at(τ^1_{0→1})} τ^2_{0→1} {ready-at(τ^1_{0→1})},

(4) {x = 0} τ^1_{0→1} {at(ℓ^1_1)},

(4') {x = 0} τ^2_{0→1} {x = 0},

(5) (ready-at(τ^1_{0→1}) ∧ x = 0) ⇒ ◇≤1 at(ℓ^1_1).

The premise (1) can be derived by the rule READY similarly to the corresponding property (‡) in the case of a single process. The premise (5) is identical to the property (†), only that the proof of the necessary new noninterference conditions requires the axiom READY-INV, as does the proof of the noninterference premise (3'). The noninterference premises (3), (4), and (4') are trivially valid.

The essential difference between the single-process and the present system is manifested by the premise (2): while the precondition of the former already includes x = 0, in the current system x = 0 is established, "in time," by the second process P_2. We show the premise (2) by an application of the transitive upper-bound rule TRANS-UB to the properties

(2.1) start ⇒ ◇≤1 ready-at(τ^2_{0→1}),

(2.2) ready-at(τ^2_{0→1}) ⇒ ◇≤0 (x = 0).
The first condition, property (2.1), is shown by single-step reasoning using the rules READY and SS-LB with respect to the lower-bound requirement (τ^2_{0→1}, {τ_∅}, 1); the second condition, (2.2), can be established by the rule SS-UB, employing the upper-bound requirement (τ^2_{0→1}, 0).

In the example we just considered, the transition τ^1_{0→1} becomes enabled, with the help of the process P_2, before it is ready. Now let us turn this situation around, and have τ^1_{0→1} be ready before it is enabled by P_2:

(The data precondition is again x = 1.)

In this new system, the second process P_2 sets x to 0 only at time 5, after process P_1 has checked the value of x at least twice. Since the first process P_1 keeps testing whether x = 0 at least every time unit, it will reach its final location either at time 5 or at time 6.

The formal proof of the bounded-invariance property

$$\mathit{start} \Rightarrow \Box_{<5}\,\neg\mathit{at}(\ell^1_1),$$

that P_1 does not terminate before time 5, uses again the single-step lower-bound rule SS-LB; however, this time the crucial lower-bound requirement is the one for τ^2_{0→1}, namely (τ^2_{0→1}, {τ_∅}, 5). We need to show the premises

(1) start → completed(τ_∅),

(2) start → (at(ℓ^1_0) ∧ x = 1),

(3) {at(ℓ^1_0) ∧ x = 1} τ^1_{0→1} {at(ℓ^1_0) ∧ x = 1},

(4) (at(ℓ^1_0) ∧ x = 1) → ¬at(ℓ^1_1),

all of which can be concluded easily.

The corresponding bounded-response property that P_1 terminates within 6 time units,

$$\mathit{start} \Rightarrow \Diamond_{\le 6}\,\mathit{at}(\ell^1_1),$$

can be inferred by the rule OVERLAP just as in the previous example. All of the premises

(1) start ⇒ ◇≤2 ready-at(τ^1_{0→1}),

(2) start ⇒ ◇≤5 (x = 0),

(3) {ready-at(τ^1_{0→1})} τ^1_{0→1} {at(ℓ^1_1)},

(3') {ready-at(τ^1_{0→1})} τ^2_{0→1} {ready-at(τ^1_{0→1})},

(4) {x = 0} τ^1_{0→1} {at(ℓ^1_1)},

(4') {x = 0} τ^2_{0→1} {x = 0},

(5) (ready-at(τ^1_{0→1}) ∧ x = 0) ⇒ ◇≤1 at(ℓ^1_1)

can be derived as before.

4.3  Transitivity  rules 

After having looked at the parallel composition of transitions, we illustrate how to prove bounded-invariance and bounded-response properties of a chain of sequentially composed transitions. We use two transitivity rules to combine a finite number of nonoverlapping real-time properties.

The transitive upper-bound rule TRANS-UB has been given above; the transitive lower-bound rule TRANS-LB combines two bounded-unless properties:

This rule is easily seen to be S-sound for every real-time transition system S.

Recall that from the conclusion of this rule we can infer the bounded-invariance property

$$p \Rightarrow \Box_{<l_1+l_2}\, q$$

by an application of the bounded-invariance rule BD-INV. We shall often neglect to mention this simple proof step explicitly.

To establish the premises of the rule TRANS-LB, we need to strengthen the single-step lower-bound rule SS-LB to infer a bounded-unless property. For any lower-bound requirement (τ, T, l) ∈ ℒ:

$$
\text{SS-LBU}\quad
\begin{array}{ll}
(1) & p \to \mathit{completed}(T)\\
(2) & p \to \varphi\\
(3) & \{\varphi\}\ \mathcal{T}-\tau\ \{\varphi\}\\
(4) & \varphi \to q\\
(5) & \{\varphi\}\ \tau\ \{\varphi \lor r\}\\
\hline
& p \Rightarrow q\ \mathcal{U}_{\ge l}\ r
\end{array}
$$

To see that the new, stronger, single-step lower-bound rule SS-LBU is S-sound, simply observe that we have added the premise (5) to the original rule SS-LB. This additional condition guarantees that the invariant φ (as well as q, due to the premise (4)) holds until an r-state is encountered (if ever). Thus the original rule SS-LB covers the special case in which the state formula r is chosen to be true.

We demonstrate the application of the transitivity rules by examining the single-process system P with the following transition diagram:

[transition diagram: locations ℓ_0, ℓ_1, ℓ_2; the edges τ_{0→1} and τ_{1→2} are guarded by true and labeled with the delay 2 + 1]

We want to show that P terminates not before time 4 and not after time 6.

Given a transition diagram containing the location ℓ, let In(ℓ) be the set of transitions that correspond to incoming edges (i.e., edges whose target location is ℓ); if ℓ is an entry location, let In(ℓ) = {τ_∅}. In particular, τ_I ∉ In(ℓ) for any location ℓ. We introduce the abbreviation enter(ℓ) to stand for the state formula

$$\mathit{at}(\ell) \land \mathit{completed}(\mathit{In}(\ell)).$$

For instance, enter(ℓ_1) stands, in our example, for at(ℓ_1) ∧ completed(τ_{0→1}).

Now let us derive the real-time bounds on the termination of P. First, we prove the lower bound

$$\mathit{start} \Rightarrow \Box_{<4}\,\neg\mathit{at}(\ell_2).$$

By the transitive lower-bound rule TRANS-LB (and a tacit application of BD-INV), it suffices to show the premises

(1) start ⇒ (¬at(ℓ_2)) U≥2 enter(ℓ_1),

(2) enter(ℓ_1) ⇒ (¬at(ℓ_2)) U≥2 true.

Both of the premises can be established by the single-step lower-bound rule SS-LBU. To show the premise (1), we use the lower-bound requirement (τ_{0→1}, {τ_∅}, 2) and the invariant at(ℓ_0); the premise (2) follows from the lower-bound requirement (τ_{1→2}, {τ_{0→1}}, 2) and the invariant at(ℓ_1). The corresponding upper bound

$$\mathit{start} \Rightarrow \Diamond_{\le 6}\,\mathit{at}(\ell_2)$$

is derived by the transitive upper-bound rule TRANS-UB. It suffices to show the premises

(1) start ⇒ ◇≤3 enter(ℓ_1),

(2) enter(ℓ_1) ⇒ ◇≤3 at(ℓ_2),

both of which can be established by single-step upper-bound reasoning as demonstrated in the previous subsections.

A more interesting case involving transitive reasoning can be illustrated on the following two-process system with the data precondition x = 0:

[transition diagrams: P_1 has the single edge τ^1_{0→1} guarded by x = 0 with delay 2 + 1; P_2 proceeds ℓ^2_0 → ℓ^2_1 → ℓ^2_2, first setting x to 1 and then resetting x to 0]

In any analysis of this system, we have to distinguish two cases. The first process, P_1, may reach its final location ℓ^1_1 before the second process, P_2, sets the value of x to 1, or vice versa. In the latter case, P_1 has to wait until P_2 resets the value of x to 0. Consequently, P_1 may terminate as early as at time 2 or as late as at time 7.

The lower bound,

$$\mathit{start} \Rightarrow \Box_{<2}\,\neg\mathit{at}(\ell^1_1),$$

follows by single-step reasoning with respect to the lower-bound requirement (τ^1_{0→1}, {τ_∅}, 2). The upper bound,

$$\mathit{start} \Rightarrow \Diamond_{\le 7}\,\mathit{at}(\ell^1_1),$$

is established by the rule OVERLAP. All of the premises

(1) start ⇒ ◇≤2 ready-at(τ^1_{0→1}),

(2) start ⇒ ◇≤6 (at(ℓ^2_2) ∧ x = 0),

(3) {ready-at(τ^1_{0→1})} τ^1_{0→1} {at(ℓ^1_1)},

(3') {ready-at(τ^1_{0→1})} τ^2_{0→1} {ready-at(τ^1_{0→1})},

(3'') {ready-at(τ^1_{0→1})} τ^2_{1→2} {ready-at(τ^1_{0→1})},

(4) {at(ℓ^2_2) ∧ x = 0} τ^1_{0→1} {at(ℓ^1_1)},

(4') {at(ℓ^2_2) ∧ x = 0} τ^2_{0→1} {at(ℓ^2_2) ∧ x = 0},

(4'') {at(ℓ^2_2) ∧ x = 0} τ^2_{1→2} {at(ℓ^2_2) ∧ x = 0},

(5) (ready-at(τ^1_{0→1}) ∧ at(ℓ^2_2) ∧ x = 0) ⇒ ◇≤1 at(ℓ^1_1)

can be derived by single-step reasoning, except for (2), which follows by the transitive upper-bound rule TRANS-UB from the single-step upper bounds

$$\mathit{start} \Rightarrow \Diamond_{\le 3}\,\mathit{enter}(\ell^2_1)$$

and

$$\mathit{enter}(\ell^2_1) \Rightarrow \Diamond_{\le 3}\,(\mathit{at}(\ell^2_2) \land x = 0).$$


4.4  Disjunction  rules 

The simple transitivity rules are not powerful enough to handle programs with branching structures that are more complicated than trees; reasoning about confluent branches requires a case analysis. The disjunctive lower-bound rule DIS-LB and the disjunctive upper-bound rule DIS-UB provide the means for combining the parts of a case splitting:

$$
\text{DIS-LB}\quad
\begin{array}{ll}
(1) & p_1 \Rightarrow q\ \mathcal{U}_{\ge l_1}\ r\\
(2) & p_2 \Rightarrow q\ \mathcal{U}_{\ge l_2}\ r\\
\hline
& (p_1 \lor p_2) \Rightarrow q\ \mathcal{U}_{\ge \min(l_1,l_2)}\ r
\end{array}
$$

$$
\text{DIS-UB}\quad
\begin{array}{ll}
(1) & p_1 \Rightarrow \Diamond_{\le u_1}\, q\\
(2) & p_2 \Rightarrow \Diamond_{\le u_2}\, q\\
\hline
& (p_1 \lor p_2) \Rightarrow \Diamond_{\le \max(u_1,u_2)}\, q
\end{array}
$$

Both disjunction rules are easily seen to be S-sound for every real-time transition system S.

For an application of the disjunction rules, consider the process P with the following transition diagram:

We show that P terminates at time 3, independently of the initial value of x.

Any proof considers two cases: either x is initially 0 and the transition τ_{0→1} is taken, or x is initially different from 0 and the alternative transition τ_{0→2} is taken. The lower bound,

$$\mathit{start} \Rightarrow \Box_{<3}\,\neg\mathit{at}(\ell_3),$$

follows by the disjunctive lower-bound rule DIS-LB from the premises

(1) (start ∧ x = 0) ⇒ (¬at(ℓ_3)) U≥3 true,

(2) (start ∧ x ≠ 0) ⇒ (¬at(ℓ_3)) U≥3 true;

the upper bound,

$$\mathit{start} \Rightarrow \Diamond_{\le 3}\,\mathit{at}(\ell_3),$$

follows by the disjunctive upper-bound rule DIS-UB from the premises

(1) (start ∧ x = 0) ⇒ ◇≤3 enter(ℓ_3),

(2) (start ∧ x ≠ 0) ⇒ ◇≤3 enter(ℓ_3).

All four of the premises can be established by single-step and transitive reasoning as demonstrated in the previous subsections.

We remark at this point that our proof system is not strong enough to show tight bounds on nondeterministic systems. To see this, consider the following nondeterministic variant P' of the process P:

During an execution of P', one (if any) of the two transitions τ_{0→1} and τ_{0→2} is chosen nondeterministically (in general, a vertex of a transition diagram is nondeterministic iff any two guards that are associated with outgoing edges are not disjoint).

To show the lower bound

$$\mathit{start} \Rightarrow \Box_{<3}\,\neg\mathit{at}(\ell_3)$$

on the termination of P', we need to express and prove more complex temporal properties than are permitted in our simple specification language. For instance, the property that the control of P' resides at the location ℓ_0 either forever or until, no sooner than at time 2, it proceeds to the location ℓ_1, or until, no sooner than at time 1, it proceeds to the location ℓ_2, cannot be stated as a simple bounded-unless formula. On the other hand, in temporal logic with time-bounded operators this property can be expressed by the formula

$$\mathit{start} \Rightarrow \big(\mathit{at}(\ell_0)\ \mathcal{U}_{\ge 2}\ \mathit{enter}(\ell_1)\ \lor\ \mathit{at}(\ell_0)\ \mathcal{U}_{\ge 1}\ \mathit{enter}(\ell_2)\big).$$

An extension of our specification language to disjunctive properties of this form and the detailed treatment of nondeterminism is deferred to a separate paper ([HMP91]).

4.5  Induction  rules 

To prove lower and upper bounds on the execution time of program loops, we need to combine a state-dependent number of bounded-invariance or bounded-response properties. For this purpose we introduce two induction rules, the inductive lower-bound rule IND-LB and the inductive upper-bound rule IND-UB.

Assume that the variable i ∈ V ranges over the natural numbers ℕ; for any n ∈ ℕ:

$$
\text{IND-LB}\quad
\begin{array}{ll}
(1) & p \to \varphi(n)\\
(2) & (\varphi(i) \land i > 0) \Rightarrow q\ \mathcal{U}_{\ge l}\ \varphi(i-1)\\
(3) & \varphi(0) \to r\\
\hline
& p \Rightarrow q\ \mathcal{U}_{\ge n\cdot l}\ r
\end{array}
$$

By φ(i − 1) we denote the state formula that results from the inductive invariant φ(i) by replacing all occurrences of the variable i with the expression i − 1; the formulas φ(n) and φ(0) are obtained analogously.

To see that the rule IND-LB is S-sound, for any system S, suppose that the premises (1) through (3) are S-valid, and consider an arbitrary computation of S containing a p-state σ_{k_n}. Then φ(n) holds at σ_{k_n} by premise (1). From the main premise (2) it follows that either q is true at σ_{k_n} and all subsequent states, or there is a sequence of positions k_n < k_{n−1} < … < k_0 such that each σ_{k_i}, 0 ≤ i ≤ n, is a φ(i)-state and q is true at all intermediate states σ_j, k_n ≤ j < k_0; furthermore, the premise (2) implies that any two positions k_i and k_j, i ≠ j, in this sequence are at least time l apart. In either case, the desired conclusion follows.

The inductive upper-bound rule uses again a variable i that ranges over the natural numbers ℕ. For any n ∈ ℕ:

$$
\text{IND-UB}\quad
\begin{array}{ll}
(1) & p \to \varphi(n)\\
(2) & (\varphi(i) \land i > 0) \Rightarrow \Diamond_{\le u}\, \varphi(i-1)\\
(3) & \varphi(0) \to q\\
\hline
& p \Rightarrow \Diamond_{\le n\cdot u}\, q
\end{array}
$$

It is not hard to convince ourselves that this rule is S-sound for every real-time transition system S as well.

We demonstrate the application of the induction rules by analyzing the single-process system P with the data precondition x = 5 and the following transition diagram:

[transition diagram: at ℓ_0 a self-loop τ_{0→0} with guard x ≠ 0 and action x := x − 1; an edge τ_{0→1} to ℓ_1 with guard x = 0; precondition {x = 5}]

The process P decrements the value of x until it is 0, at which point P proceeds to the location ℓ_1. Since x starts out with the value 5, and each decrement operation takes at least 2 and at most 3 time units, while the tests are instantaneous, the final location ℓ_1 is reached not before time 10 and not after time 15.

To prove the bounded-invariance property

$$\mathit{start} \Rightarrow \Box_{<10}\,\neg\mathit{at}(\ell_1),$$

we first apply the bounded-invariance rule BD-INV, showing instead

$$\mathit{start} \Rightarrow (\neg\mathit{at}(\ell_1))\ \mathcal{U}_{\ge 10}\ (\mathit{enter}(\ell_0) \land x = 0).$$

By the inductive lower-bound rule IND-LB, it suffices to show the premises

(1) start → (enter(ℓ_0) ∧ x = 5),

(2) (enter(ℓ_0) ∧ x = i ∧ i > 0) ⇒ (¬at(ℓ_1)) U≥2 (enter(ℓ_0) ∧ x = i − 1).

The first premise, (1), is trivially valid; the second premise, (2), follows from the single-step lower-bound rule SS-LBU with respect to the lower-bound requirement (τ_{0→0}, {τ_∅, τ_{0→0}}, 2).

Now let us prove the bounded-response property

$$\mathit{start} \Rightarrow \Diamond_{\le 15}\,\mathit{at}(\ell_1).$$

Applying the transitive upper-bound rule TRANS-UB, it suffices to show

(1) start ⇒ ◇≤15 (enter(ℓ_0) ∧ x = 0),

(2) (enter(ℓ_0) ∧ x = 0) ⇒ ◇≤0 at(ℓ_1).

The second premise, (2), can be concluded by single-step upper-bound reasoning with respect to the lower-bound requirement (τ_{0→1}, {τ_∅, τ_{0→0}}, 0) and the upper-bound requirement (τ_{0→1}, 0); we elaborate only on how the first premise, (1), can be derived by an application of the inductive upper-bound rule IND-UB. It suffices to show the premises

(1.1) start → (enter(ℓ_0) ∧ x = 5),

(1.2) (enter(ℓ_0) ∧ x = i ∧ i > 0) ⇒ ◇≤3 (enter(ℓ_0) ∧ x = i − 1).

While the condition (1.1) is trivially valid, the main premise, (1.2), follows by single-step upper-bound reasoning from the lower-bound requirement (τ_{0→0}, {τ_∅, τ_{0→0}}, 2) and the upper-bound requirement (τ_{0→0}, 1).

The induction rules can be generalized, by letting the bounds l and u vary as functions of i. We state only the general inductive upper-bound rule, IND-GUB. For any n ∈ ℕ:

$$
\text{IND-GUB}\quad
\begin{array}{ll}
(1) & p \to \varphi(n)\\
(2) & (\varphi(i) \land i > 0) \Rightarrow \Diamond_{\le u_i}\, \varphi(i-1)\\
(3) & \varphi(0) \to q\\
\hline
& p \Rightarrow \Diamond_{\le \sum_{0 < i \le n} u_i}\, q
\end{array}
$$

This general rule is still S-sound for every real-time transition system S.

The general inductive upper-bound rule is needed to prove upper bounds for programs with loops whose execution time is state-dependent. Consider the following process P:

To show that P terminates within 7 time units, we apply the rule IND-GUB to the inductive invariant enter(ℓ_0) ∧ x = i and let u_i be 1 (2) if i is odd (even, respectively). The main premise,

$$(\mathit{enter}(\ell_0) \land x = i \land i > 0) \Rightarrow \Diamond_{\le u_i}\,(\mathit{enter}(\ell_0) \land x = i - 1),$$

follows by the disjunctive upper-bound rule DIS-UB from the two conditions

$$(\mathit{enter}(\ell_0) \land x = i \land i > 0 \land \mathit{odd}(i)) \Rightarrow \Diamond_{\le 1}\,(\mathit{enter}(\ell_0) \land x = i - 1)$$

and

$$(\mathit{enter}(\ell_0) \land x = i \land i > 0 \land \mathit{even}(i)) \Rightarrow \Diamond_{\le 2}\,(\mathit{enter}(\ell_0) \land x = i - 1).$$
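The upper-bound rules of this section can be checked mechanically once their state-formula premises have been discharged. The Python below is an added example, my own code rather than the paper's: it represents a bounded-response judgement p ⇒ ◇≤u q syntactically, checks the side conditions of TRANS-UB, OVERLAP, DIS-UB and IND-GUB (IND-UB being the case of a constant u_i), and computes the derived bound. Re-running the derivations of Sections 4.1, 4.2 and 4.5 reproduces the bounds 3, 6, 7 and 15. For the state-dependent loop just discussed the scan does not show the diagram; the code assumes it starts at x = 5, which with u_i = 1 for odd and 2 for even i gives the stated bound 7. All function and formula names are mine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resp:
    """The bounded-response judgement  p => <>_{<=u} q.  Formulas are plain
    strings; conj() normalises conjunctions so comparison is order-insensitive."""
    p: str
    u: float
    q: str


def conj(*fs):
    parts = set()
    for f in fs:
        parts.update(f.split(" ∧ "))
    return " ∧ ".join(sorted(parts))


def trans_ub(j1, j2):
    """TRANS-UB: p => <>_{<=u1} r and r => <>_{<=u2} q give p => <>_{<=u1+u2} q."""
    if j1.q != j2.p:
        raise ValueError(f"TRANS-UB: {j1.q!r} does not match {j2.p!r}")
    return Resp(j1.p, j1.u + j2.u, j2.q)


def overlap(j1, j2, j5):
    """OVERLAP: p => <>_{<=u1} r, p => <>_{<=u2} s and (r ∧ s) => <>_{<=u3} q give
    p => <>_{<=max(u1,u2)+u3} q.  The noninterference premises (3) and (4) are
    Hoare triples over state formulas and are assumed discharged separately."""
    if j1.p != j2.p or j5.p != conj(j1.q, j2.q):
        raise ValueError("OVERLAP: premises do not fit the rule")
    return Resp(j1.p, max(j1.u, j2.u) + j5.u, j5.q)


def dis_ub(j1, j2):
    """DIS-UB: p1 => <>_{<=u1} q and p2 => <>_{<=u2} q give (p1 ∨ p2) => <>_{<=max(u1,u2)} q."""
    if j1.q != j2.q:
        raise ValueError("DIS-UB: the two conclusions differ")
    return Resp(f"({j1.p}) ∨ ({j2.p})", max(j1.u, j2.u), j1.q)


def ind_gub(p, phi, n, step, q):
    """IND-GUB with inductive invariant phi(i): step(i) must be the judgement
    phi(i) => <>_{<=u_i} phi(i-1) for 0 < i <= n; the state-formula premises
    p -> phi(n) and phi(0) -> q are assumed discharged.  IND-UB is the special
    case of a constant u_i.  Returns p => <>_{<=sum u_i} q."""
    total = 0
    for i in range(1, n + 1):
        j = step(i)
        if j.p != phi(i) or j.q != phi(i - 1):
            raise ValueError(f"IND-GUB: step {i} is not phi({i}) => <> phi({i - 1})")
        total += j.u
    return Resp(p, total, q)


# --- the derivations of Sections 4.1, 4.2 and 4.5, redone with the checker ----

def single_process_bound():
    """Section 4.1: TRANS-UB applied to (‡) and (†) yields start => <>_{<=3} at(l1)."""
    ddagger = Resp("start", 2, conj("ready-at(τ01)", "x=0"))
    dagger = Resp(conj("ready-at(τ01)", "x=0"), 1, "at(ℓ1)")
    return trans_ub(ddagger, dagger)


def two_process_bound(u_x, s="x=0"):
    """Section 4.2: OVERLAP with premise (2) start => <>_{<=u_x} s.  u_x = 1, 5, and
    6 with s = at(ℓ²2) ∧ x=0 reproduce the bounds 3, 6 and 7 of the three systems."""
    j1 = Resp("start", 2, "ready-at(τ¹01)")
    j2 = Resp("start", u_x, s)
    j5 = Resp(conj("ready-at(τ¹01)", s), 1, "at(ℓ¹1)")
    return overlap(j1, j2, j5)


def loop_bound(n, u):
    """Section 4.5: IND-GUB over the decrement loop starting at x = n with per-step
    bound u(i), then TRANS-UB with (enter(ℓ0) ∧ x=0) => <>_{<=0} at(ℓ1)."""
    phi = lambda i: conj("enter(ℓ0)", f"x={i}")
    body = ind_gub("start", phi, n, lambda i: Resp(phi(i), u(i), phi(i - 1)), phi(0))
    return trans_ub(body, Resp(phi(0), 0, "at(ℓ1)"))


if __name__ == "__main__":
    print(single_process_bound().u, two_process_bound(1).u, two_process_bound(5).u)  # 3 3 6
    print(loop_bound(5, lambda i: 3).u, loop_bound(5, lambda i: 1 if i % 2 else 2).u)  # 15 7
```

The checker deliberately trusts every premise that is a state formula or a Hoare triple; those belong to the single-step rules, whose premises are discharged by ordinary (timeless) reasoning, whereas the rules encoded here only combine already-established bounded-response judgements.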

5  Explicit-Clock  Reasoning 

Consider a real-time transition system S = (V, Σ, Θ, 𝒯, ℒ, 𝒰). The conditions ready(τ) and completed(τ) can be expressed by state formulas only if every state of S is situated in a computation and contains information about the history of the computation. To add this information, we define the extension of S by adding a clock variable whose value represents, in every state of a computation, the corresponding time.

We then proceed to show how this explicit access to the current time through the clock variable can be utilized by a real-time verification technique that differs substantially from the one presented in the previous section, in that it relies only on one simple inference rule.

5.1  Extended  real-time  transition  systems 

Let us introduce the following new variables:

• The clock variable t ranges over the natural numbers ℕ; it records, in every state σ_i of a computation ρ = (σ, T), the corresponding time T_i.

• The transition variable λ ranges over the transition set 𝒯; it records, in every state of a computation, which transition has been completed in the preceding step.

• The minimal-delay counters δ_τ, τ ∈ 𝒯, range over ℕ; they record, in every state of a computation, how many clock ticks must happen before the transition τ becomes ready.

• The maximal-delay counters Δ_τ, τ ∈ 𝒯, range over ℕ ∪ {∞}; they record, in every state of a computation, how many clock ticks may happen before the transition τ must be taken provided that it is continuously ready and enabled.

First-order formulas over this extended vocabulary are called extended-state formulas. The conditions ready(τ) and completed(τ) are obviously equivalent to the extended-state formulas δ_τ = 0 and λ = τ, respectively.

The extension S^a = (V^a, Σ^a, Θ^a, 𝒯^a, ℒ^a, 𝒰^a) of S is defined to be the following real-time transition system:

• V^a = V ∪ {t, λ} ∪ {δ_τ : τ ∈ 𝒯} ∪ {Δ_τ : τ ∈ 𝒯}.

• Σ^a contains all interpretations of V^a.

• Let l(τ, τ') be the maximal l such that (τ, T, l) ∈ ℒ and τ' ∈ T; if no such lower-bound requirement exists, let l(τ, τ') = 0. Furthermore, let u(τ) be the minimal u such that (τ, u) ∈ 𝒰; u(τ) = ∞ if no such upper-bound requirement exists.

  Θ^a contains all extensions of interpretations σ ∈ Θ such that, for all τ ∈ 𝒯,

$$
\begin{array}{l}
\ldots = 0,\\
\sigma^a(\lambda) = \tau_\emptyset,\\
\sigma^a(\Delta_\tau) = u(\tau).
\end{array}
$$

• 𝒯^a contains, for every τ ∈ 𝒯, a transition τ^a such that (σ^a_1, σ^a_2) ∈ τ^a iff, for all τ' ∈ 𝒯,

$$
\begin{array}{l}
(\sigma_1, \sigma_2) \in \tau,\\
\sigma^a_1(\delta_\tau) = 0,\\
\sigma^a_2(\ldots) = \ldots,\\
\sigma^a_2(\lambda) = \tau,\\
\sigma^a_2(\delta_{\tau'}) = \max(l(\tau', \tau),\ \sigma^a_1(\delta_{\tau'})),\\
\sigma^a_2(\Delta_{\tau'}) = \begin{cases} \ldots & \text{if } \tau' \text{ is enabled on } \sigma^a_2 \text{ and } \ldots = 0,\\ \ldots & \text{otherwise.}\end{cases}
\end{array}
$$

  Note that the second clause, σ^a_1(δ_τ) = 0, enforces all lower bounds.

  In addition, 𝒯^a contains the tick transition τ^a_t such that (σ^a_1, σ^a_2) ∈ τ^a_t iff, for all τ' ∈ 𝒯,

$$
\begin{array}{l}
\sigma_1 = \sigma_2,\\
\sigma^a_2(t) = \sigma^a_1(t) + 1,\\
\sigma^a_2(\lambda) = \tau_t,\\
\sigma^a_2(\delta_{\tau'}) = \max(0,\ \sigma^a_1(\delta_{\tau'}) - 1),\\
\sigma^a_2(\Delta_{\tau'}) = \begin{cases} \sigma^a_1(\Delta_{\tau'}) - 1 & \text{if } \tau' \text{ is enabled on } \sigma^a_1 \text{ and } \ldots = 0,\\ u(\tau') & \text{otherwise,}\end{cases}\\
\sigma^a_2(\Delta_{\tau'}) \ge 0.^{1}
\end{array}
$$

  The last clause enforces all finite upper bounds.

• ℒ^a = ∅.

• 𝒰^a contains (τ^a, ∞) for all (τ, ∞) ∈ 𝒰. These remaining upper-bound requirements are weak-fairness conditions that enforce all infinite upper bounds.
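The extended system above makes the timing semantics executable: an explicit clock plus, per transition, a minimal-delay counter and a maximal-delay counter. The Python below is an added example, my own encoding rather than the paper's definition: it explores every timed computation of a small system by breadth-first search over such extended states and reports the clock values at which a target location is entered. Where the scan leaves the clauses for σ^a_2(Δ_τ′) unreadable, the code assumes that after a discrete step Δ is reset to u(τ′) for the transition just taken and for every transition that is not both ready and enabled afterwards, and kept otherwise; the idle transition is omitted because it changes neither the data state nor the clock. Run on the single-process system of Section 4.1 and the decrement loop of Section 4.5, it re-derives by exhaustive search the bounds the proof rules gave (ℓ_1 entered at time 2 or 3; termination between times 10 and 15). The names RTTS, arrival_times, bounds and the transition labels t00, t01 and tau_empty are mine.

```python
from collections import deque

INF = float("inf")   # stands for u = oo (no upper-bound requirement); INF - 1 == INF


class RTTS:
    """Constructed encoding (not the paper's) of a real-time transition system.
    A data state is a dict (control location under 'loc'); every transition has
    a guard and an action; lower-bound requirements are triples (tau, triggers, l)
    and upper-bound requirements map tau -> u.  The trigger name 'tau_empty' is
    the empty transition, which counts as completed in the initial state."""

    def __init__(self, initial, transitions, lower, upper):
        self.initial, self.transitions = initial, transitions
        self.lower, self.upper = lower, upper
        self.names = sorted(transitions)

    def l(self, tau, trigger):
        """Largest l with (tau, T, l) a lower-bound requirement and trigger in T, else 0."""
        return max((lb for (name, T, lb) in self.lower if name == tau and trigger in T), default=0)

    def u(self, tau):
        return self.upper.get(tau, INF)

    def enabled(self, tau, data):
        return self.transitions[tau][0](data)


def arrival_times(sys, target, t_max):
    """Explore every timed computation of sys up to clock value t_max.  Returns
    (arrivals, late): arrivals is the set of clock values at which a target
    state is entered; late is True iff some computation lets the clock pass
    t_max without entering the target (so <>_{<=t_max} target fails).
    An extended state is (data, t, delta, Delta): per transition, delta counts
    the ticks until it is ready and Delta the ticks still allowed while it is
    ready and enabled (assumption: Delta is reset on a discrete step for the
    transition taken and for every transition not ready-and-enabled afterwards)."""
    names = sys.names
    if target(sys.initial):
        return {0}, False
    init = (tuple(sorted(sys.initial.items())), 0,
            tuple(sys.l(tau, "tau_empty") for tau in names),
            tuple(sys.u(tau) for tau in names))
    arrivals, late, seen, queue = set(), False, {init}, deque([init])
    while queue:
        data_t, t, delta, Delta = queue.popleft()
        data, succ = dict(data_t), []
        # discrete step: any transition that is ready (delta == 0) and enabled
        for i, tau in enumerate(names):
            if delta[i] == 0 and sys.enabled(tau, data):
                new = dict(data)
                sys.transitions[tau][1](new)
                # completing tau re-arms the lower bounds that tau triggers
                nd = tuple(max(sys.l(t2, tau), delta[j]) for j, t2 in enumerate(names))
                nD = tuple(Delta[j] if j != i and nd[j] == 0 and sys.enabled(t2, new)
                           else sys.u(t2) for j, t2 in enumerate(names))
                succ.append((tuple(sorted(new.items())), t, nd, nD))
        # clock tick: blocked while a ready-and-enabled transition has Delta == 0
        counting = [delta[j] == 0 and sys.enabled(t2, data) for j, t2 in enumerate(names)]
        if not any(c and D == 0 for c, D in zip(counting, Delta)):
            if t == t_max:
                late = True
            else:
                nd = tuple(max(0, d - 1) for d in delta)
                nD = tuple(Delta[j] - 1 if counting[j] else sys.u(t2) for j, t2 in enumerate(names))
                succ.append((data_t, t + 1, nd, nD))
        for s in succ:
            if target(dict(s[0])):
                arrivals.add(s[1])          # target entered at clock value s[1]
            elif s not in seen:
                seen.add(s)
                queue.append(s)
    return arrivals, late


def single_process():
    """Section 4.1 system: x = 0; tau_{0->1} has lower bound 2 after tau_empty
    and upper bound 1, so l_1 is entered at time 2 or 3."""
    return RTTS({"loc": 0, "x": 0},
                {"t01": (lambda s: s["loc"] == 0 and s["x"] == 0, lambda s: s.update(loc=1))},
                [("t01", {"tau_empty"}, 2)], {"t01": 1})


def decrement_loop():
    """Section 4.5 system: x = 5; tau_{0->0} decrements x (lower bound 2 after
    tau_empty or itself, upper bound 1); tau_{0->1} exits when x = 0 (bounds 0, 0)."""
    return RTTS({"loc": 0, "x": 5},
                {"t00": (lambda s: s["loc"] == 0 and s["x"] != 0, lambda s: s.update(x=s["x"] - 1)),
                 "t01": (lambda s: s["loc"] == 0 and s["x"] == 0, lambda s: s.update(loc=1))},
                [("t00", {"tau_empty", "t00"}, 2), ("t01", {"tau_empty", "t00"}, 0)],
                {"t00": 1, "t01": 0})


def at_l1(s):
    return s["loc"] == 1


def bounds(sys, target, t_max):
    """(earliest arrival, latest arrival seen, whether <>_{<=t_max} target holds)."""
    arrivals, late = arrival_times(sys, target, t_max)
    return min(arrivals), max(arrivals), not late


if __name__ == "__main__":
    print(bounds(single_process(), at_l1, 3))    # (2, 3, True)
    print(bounds(decrement_loop(), at_l1, 15))   # (10, 15, True)
```

The search is finite because the counters are bounded by the requirements and the clock is cut off at t_max; a result of late = True at some t_max is exactly a counterexample computation to start ⇒ ◇≤t_max target, while the smallest arrival time witnesses the tightness of the bounded-invariance bound.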

The real-time transition system S and its extension S^a are equivalent in the following sense: for every computation ρ = (σ, T) of S, there is a computation ρ^a = (σ^a, T) of S^a such that every state σ^a_i, i ≥ 0, is an extension of σ_i to V^a (and σ^a_i(t) = T_i for all i ≥ 0); and for every computation (σ^a, T) of S^a, the timed state sequence (σ, T) is a computation of S if every state σ_i, i ≥ 0, is the restriction of σ^a_i to V.

Thus, to show a temporal formula φ (over V) to be S-valid, it suffices to show the S^a-validity of φ.

5.2  Explicit-clock  verification 

We point out that, once we are given explicit access to the global clock through the clock variable t, both bounded-invariance and bounded-response properties over V can alternatively be formulated as (unbounded) unless properties over V^a.

¹ In evaluating expressions, let ∞ − 1 = ∞ > 0.
Unless properties assert that something will hold continuously either forever, or until terminated by the occurrence of another event. They are expressed by temporal formulas of the form

$$p \Rightarrow q\ \mathcal{U}\ r,$$

for state formulas $p$, $q$, and $r$. The formula $p \Rightarrow q\ \mathcal{U}\ r$ is true over the timed state sequence $\rho = (\sigma, T)$ iff, for all $i \geq 0$,

if $\sigma_i$ is a $p$-state,
then either all subsequent $\sigma_j$, $j \geq i$, are $q$-states,
or there is some $r$-state $\sigma_j$, $j \geq i$, such that all intermediate $\sigma_k$, $i \leq k < j$, are $q$-states;

that is, every $p$-state is followed by a (possibly infinite) sequence of $q$-states until there is an $r$-state.

In particular, the bounded-invariance property

$$p \Rightarrow \Box_{\leq l}\, q$$

is $S^{\alpha}$-equivalent to the unbounded unless property

$$(p \wedge t = T) \Rightarrow q\ \mathcal{U}\ (t > T + l),$$

(i.e., both formulas are true over the same computations of $S^{\alpha}$), and the bounded-response property

$$p \Rightarrow \Diamond_{\leq u}\, q$$

is $S^{\alpha}$-equivalent to the unless property

$$(p \wedge t = T) \Rightarrow (t \leq T + u)\ \mathcal{U}\ q$$

if $q$ is a state formula over $V$. Both unless formulas make use of the rigid (static) variable $T$ (i.e., $T = T'$) to record the time of the $p$-state. Note that the latter equivalence is based on the fact that the time is guaranteed to reach and surpass $T + u$, for any value of $T$.

These observations lead to an alternative and quite different approach to the verification of real-time properties: to prove the $S$-validity of a real-time property $\phi$ (over $V$), we establish instead the $S^{\alpha}$-validity of an $S^{\alpha}$-equivalent unless property (over $V^{\alpha}$). This can be done by applying the timeless unless rule:
UNLESS

(1) $p \to (\varphi \vee r)$

(2)

(3) $\varphi \to q$

$p \Rightarrow q\ \mathcal{U}\ r$

We emphasize that all premises are state formulas; the state formula $\varphi$ is called the intermediate assertion of the rule. It is easy to see that the unless rule is $S^{\alpha}$-sound.

To demonstrate this kind of "explicit-clock" real-time reasoning, consider again the single-process system $P$ with the data precondition $x = 0$ and the following transition diagram:

[transition diagram of $P$: data precondition $\{x = 0\}$, locations $\ell_0$ and $\ell_1$]

Both the lower and the upper bound on the termination of $P$,

$$\mathit{start} \Rightarrow \ldots\ \mathcal{U}\ (t \geq 2)$$

and

$$\mathit{start} \Rightarrow (t \leq 3)\ \mathcal{U}\ at(\ell_1),$$

respectively, can be derived by the unless rule UNLESS. To establish the lower bound, we use the intermediate assertion

$$at(\ell_0) \wedge (0 \leq t \leq 2) \wedge (t + \delta = 2).$$

The upper bound follows from the intermediate assertion

$$at(\ell_0) \wedge (x = 0) \wedge (0 \leq t \leq 3) \wedge (0 \leq \delta \leq 2) \wedge (0 \leq \Delta \leq 1) \wedge (t + \delta + \Delta = 3).$$
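As an added illustration (not code from the paper), the following Python explores the explicit-clock state space of $P$ for lower bound 2 and upper bound 3 and checks the three UNLESS premises for the two intermediate assertions above. The timer semantics are an assumption of this example: $\delta$ starts at $l$ and counts down on every tick, $\Delta$ starts at $u - l$ and counts down only once $\delta$ has reached 0, a tick is blocked when it would drive $\Delta$ below 0, and the transition may fire only when $\delta = 0$; the right-hand side $at(\ell_0)$ of the lower-bound property and the form of premise (2) are likewise assumed here.

```python
L_BOUND, U_BOUND = 2, 3  # lower and upper bound of P's single transition
# state = (loc, t, delta, Delta); loc 0 = at(l0), loc 1 = at(l1)
INITIAL = (0, 0, L_BOUND, U_BOUND - L_BOUND)  # Delta starts at u - l (assumption)

def successors(s):
    loc, t, dl, du = s
    if loc == 1:                         # after termination only the clock advances
        return [(1, t + 1, dl, du)]
    out = []
    # tick: delta counts down; Delta counts down only once delta has expired;
    # the tick is blocked if it would push Delta below 0 (enforces the upper bound)
    new_du = du - 1 if dl == 0 else du
    if new_du >= 0:
        out.append((0, t + 1, max(0, dl - 1), new_du))
    if dl == 0:                          # lower bound met: the transition may fire
        out.append((1, t, dl, du))
    return out

def reachable(horizon=8):
    seen, stack = set(), [INITIAL]
    while stack:
        s = stack.pop()
        if s not in seen and s[1] <= horizon:
            seen.add(s)
            stack.extend(successors(s))
    return seen

def unless_rule_holds(p, phi, q, r, states):
    """UNLESS premises as assumed here: (1) p -> phi or r; (2) every step from a
    phi-state lands in a (phi or r)-state; (3) phi -> q.  Together: p => q U r."""
    for s in states:
        if p(s) and not (phi(s) or r(s)):
            return False
        if phi(s) and (not q(s) or any(not (phi(n) or r(n)) for n in successors(s))):
            return False
    return True

start = lambda s: s == INITIAL
at_l0 = lambda s: s[0] == 0
at_l1 = lambda s: s[0] == 1
# the two intermediate assertions from the text (x = 0 is invariant and left implicit)
phi_lower = lambda s: at_l0(s) and 0 <= s[1] <= 2 and s[1] + s[2] == 2
phi_upper = lambda s: (at_l0(s) and 0 <= s[1] <= 3 and 0 <= s[2] <= 2
                       and 0 <= s[3] <= 1 and s[1] + s[2] + s[3] == 3)

def check_bounds():
    """Derive start => at(l0) U (t >= 2) and start => (t <= 3) U at(l1) via UNLESS."""
    S = reachable()
    lower = unless_rule_holds(start, phi_lower, at_l0, lambda s: s[1] >= 2, S)
    upper = unless_rule_holds(start, phi_upper, lambda s: s[1] <= 3, at_l1, S)
    return lower, upper
```

Weakening the upper-bound conclusion to $(t \leq 2)\ \mathcal{U}\ at(\ell_1)$ makes premise (3) fail for the state with $t = 3$, which is exactly the case the intermediate assertion has to admit.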

While the verification style presented in Section 4 refers to time only through time-bounded temporal operators, explicit-clock reasoning uses ordinary, timeless, temporal operators and refers to the time in state formulas. Both styles trade off the complexity of the temporal proof structure against the complexity of the state invariants: the method of Section 4 relies on complex proof structures similar to the proof lattices used to establish ordinary (timeless) liveness properties ([OL82], [MP89]), and uses relatively simple invariants; the method of the present section employs only the simple unless rule — a safety rule — but requires powerful intermediate assertions.
Related work. There has been an increasing amount of literature on the formal analysis of real-time systems in recent years, and as the number of researchers has proliferated, so has the number of computational models.

We restrict ourselves to pointing to some of the work that builds on the timing model we have used — that of a global, discrete, and asynchronous clock: [Os90] uses an explicit clock variable for real-time reasoning, and includes many interesting applications; [Ko89] introduced the bounded temporal operators we use in our specification language; [Ha88] and [PH88] contrast the interleaving model with a synchronous model; [DW90] use finite automata for the specification (and synthesis) of real-time systems.

More theoretical accounts on specification languages for timed state sequences can be found in [AH89], [AH90], and [HLP90], all of which include methods for the automatic verification of finite-state real-time systems. [He90] gives a complete deductive system for a propositional real-time logic.